tools(oauth-draft): port Gmail OAuth helpers into framework #4

Merged: potiuk merged 1 commit into main from port-oauth-draft on Apr 28, 2026
@potiuk potiuk commented Apr 28, 2026

Summary

Ports the three Gmail OAuth scripts that previously lived at airflow-s/airflow-s:tools/gmail/oauth-draft/ into the framework as an installable Python project, mirroring the shape of the generate-cve-json port (#2).

The tool was already largely project-agnostic — the only adopter-specific bit was the default credentials path (~/.config/airflow-s/gmail-oauth.json), a holdover from when the tracker repo was named airflow-s. It now defaults to ~/.config/apache-steward/gmail-oauth.json, aligning with the <project-config>/apache-steward/ submodule convention.

Files added

  • tools/gmail/oauth-draft/pyproject.toml — three console scripts (oauth-draft-setup, oauth-draft-create, oauth-draft-mark-read). google-auth-oauthlib is the only runtime dep (used by setup); the other two commands are stdlib-only.
  • tools/gmail/oauth-draft/src/oauth_draft/credentials.py — shared Credentials dataclass, locate_credentials resolution, refresh_access_token, so the three commands don't duplicate the OAuth boilerplate.
  • tools/gmail/oauth-draft/src/oauth_draft/{setup_creds,create_draft,mark_threads_read}.py — one module per command, each with a thin main(argv) callable used by both the console-script entry point and the test suite.
  • tools/gmail/oauth-draft/src/oauth_draft/__init__.py — re-exports the three main functions.
  • tools/gmail/oauth-draft/tests/{__init__,test_credentials,test_create_draft,test_mark_threads_read}.py — 22 tests covering credential loading, path resolution, MIME building, the pure thread-header helper, and arg-parsing defaults. No tests hit the Gmail API. The originals carried no tests; this thin set gives the pre-commit pytest hook real coverage.
  • tools/gmail/oauth-draft/README.md — Run / Setup / How threading is guaranteed / Test / Lint sections, mirroring the generate-cve-json README. The one-time OAuth setup walkthrough that used to live in the airflow-s oauth-draft/README.md is folded in here.
  • tools/gmail/oauth-draft/{.gitignore,uv.lock} — standard.

Files updated

  • .pre-commit-config.yaml — added the four oauth-draft-* hooks (ruff-check, ruff-format, mypy, pytest), scoped to ^tools/gmail/oauth-draft/(src|tests|pyproject\.toml).
  • tools/gmail/{draft-backends,operations}.md — switched legacy script-path references (tools/gmail/oauth-draft/create_draft.py, setup_credentials.py) to the console-script invocation form (uv run --project <framework>/tools/gmail/oauth-draft oauth-draft-*). Default credentials path updated to ~/.config/apache-steward/gmail-oauth.json.
  • .claude/skills/{sync,allocate-cve,import,invalidate}-security-issue/SKILL.md — same default-path update; the sync skill also gets the console-script invocation.

Test plan

  • ✅ 22 tests pass against the new suite.
  • ✅ All four pre-commit hooks pass (ruff/ruff-format/mypy/pytest) plus the standard repo hooks (doctoc, end-of-file-fixer, etc.).
  • ✅ All three console scripts respond to --help correctly.

Coordination

A follow-up PR against airflow-s/airflow-s will delete the local tools/gmail/oauth-draft/ scripts there (they live in the framework now via submodule). Existing airflow-s users with credentials at the old ~/.config/airflow-s/gmail-oauth.json path can either move the file to ~/.config/apache-steward/ or set $GMAIL_OAUTH_CREDENTIALS — that follow-up PR's body will flag this.

🤖 Generated with Claude Code

Ports the three Gmail OAuth scripts that previously lived at
`airflow-s/airflow-s:tools/gmail/oauth-draft/` into the framework as
an installable Python project, mirroring the shape of the
`generate-cve-json` port (PR #2).

The tool was already largely project-agnostic — the only adopter-
specific bit was the default credentials path
(`~/.config/airflow-s/gmail-oauth.json`), which was a holdover from
when the tracker repo was named `airflow-s`. It now defaults to
`~/.config/apache-steward/gmail-oauth.json`, aligning with the
`<project-config>/apache-steward/` submodule convention.

Files added:

- `tools/gmail/oauth-draft/pyproject.toml` — three console scripts
  (`oauth-draft-setup`, `oauth-draft-create`, `oauth-draft-mark-read`).
  `google-auth-oauthlib` is the only runtime dep (used by setup);
  the other two commands are stdlib-only.
- `tools/gmail/oauth-draft/src/oauth_draft/credentials.py` — shared
  `Credentials` dataclass, `locate_credentials` resolution, and
  `refresh_access_token` so the three commands don't duplicate the
  OAuth boilerplate.
- `tools/gmail/oauth-draft/src/oauth_draft/{setup_creds,create_draft,
  mark_threads_read}.py` — one module per command, each with a thin
  `main(argv)` callable used by both the console-script entry point
  and the test suite.
- `tools/gmail/oauth-draft/src/oauth_draft/__init__.py` — re-exports
  the three `main` functions.
- `tools/gmail/oauth-draft/tests/{__init__,test_credentials,
  test_create_draft,test_mark_threads_read}.py` — 22 tests covering
  credential loading, path resolution, MIME building, the pure
  thread-header helper, and arg-parsing defaults. No tests hit the
  Gmail API. The originals carried no tests; this thin set gives the
  pre-commit `pytest` hook real coverage.
- `tools/gmail/oauth-draft/README.md` — Run / Setup / How threading
  is guaranteed / Test / Lint sections, mirroring the
  generate-cve-json README. The one-time OAuth setup walkthrough
  that used to live in the airflow-s `oauth-draft/README.md` is
  folded in here.
- `tools/gmail/oauth-draft/{.gitignore,uv.lock}` — standard.

Files updated:

- `.pre-commit-config.yaml` — added the four `oauth-draft-*` hooks
  (ruff-check, ruff-format, mypy, pytest), scoped to
  `^tools/gmail/oauth-draft/(src|tests|pyproject\.toml)`.
- `tools/gmail/{draft-backends,operations}.md` — switched legacy
  script-path references (`tools/gmail/oauth-draft/create_draft.py`,
  `setup_credentials.py`) to the console-script invocation form
  (`uv run --project <framework>/tools/gmail/oauth-draft
  oauth-draft-*`). Default credentials path updated to
  `~/.config/apache-steward/gmail-oauth.json`.
- `.claude/skills/{sync,allocate-cve,import,invalidate}-
  security-issue/SKILL.md` — same default-path update; the sync
  skill also gets the console-script invocation.

Test plan:

- 22 tests pass against the new suite.
- All four pre-commit hooks pass (ruff/ruff-format/mypy/pytest)
  plus the standard repo hooks (doctoc, end-of-file-fixer, etc.).
- All three console scripts respond to `--help` correctly.

Coordination:

A follow-up PR against `airflow-s/airflow-s` will delete the local
`tools/gmail/oauth-draft/` scripts there (they live in the framework
now via submodule) and update local references to point at the
framework copy. Existing airflow-s users with credentials at the
old `~/.config/airflow-s/gmail-oauth.json` path can either move the
file to `~/.config/apache-steward/` or set
`$GMAIL_OAUTH_CREDENTIALS` — that follow-up PR's body will flag
this.

Generated-by: Claude Code (Claude Opus 4.7)
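
The credentials-path migration described above, as an added Python sketch; it is not the project's `locate_credentials`. The lookup order (environment override, then the new default), the legacy-path hint and the file-mode check are assumptions of this example, as are the names `resolve_credentials` and `CredentialsError`.

```python
import stat
from pathlib import Path

ENV_VAR = "GMAIL_OAUTH_CREDENTIALS"
DEFAULT_REL = Path(".config/apache-steward/gmail-oauth.json")
LEGACY_REL = Path(".config/airflow-s/gmail-oauth.json")  # pre-rename location


class CredentialsError(Exception):
    """Raised when no usable credentials file can be resolved."""


def resolve_credentials(env: dict, home: Path) -> Path:
    """Return the credentials path, or explain why none is usable.

    Assumed order: $GMAIL_OAUTH_CREDENTIALS if set, else the new default.
    The legacy path is never used silently; it only produces a hint.
    """
    override = env.get(ENV_VAR)
    path = Path(override).expanduser() if override else home / DEFAULT_REL
    if not path.is_file():
        legacy = home / LEGACY_REL
        if not override and legacy.is_file():
            raise CredentialsError(
                f"credentials still at legacy path {legacy}; "
                f"move them to {path} or set ${ENV_VAR}"
            )
        raise CredentialsError(f"no credentials file at {path}")
    # Added hardening (assumption): refuse files readable by group/others.
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise CredentialsError(f"{path} is mode {mode:03o}; expected 0600")
    return path


if __name__ == "__main__":
    import os
    try:
        print(resolve_credentials(dict(os.environ), Path.home()))
    except CredentialsError as exc:
        print(f"error: {exc}")
```
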
@potiuk potiuk merged commit 60efac2 into main Apr 28, 2026
@andreahlert andreahlert added the mode:platform Substrate / infra — not a mode (sandbox, CI, validators) label May 7, 2026
potiuk added a commit that referenced this pull request May 30, 2026
…erns from session manual cleanups (#402)

Per direct observations from the airflow-s 2026-05-29/30 bulk sync —
two recurring title-noise patterns were cleaned manually that the
existing cascade did not catch:

1. Trailing prior-CVE-relationship parentheticals — the cross-CVE
   relationship is structurally captured by the Gate #3 cross-CVE
   clause in the public summary; embedding the relationship in the
   title is noise to downstream advisory consumers. Catches every
   shape observed in this session:
   - `(CVE-YYYY-NNNNN)`
   - `(possible CVE-YYYY-NNNNN variant)` — from #345
   - `(incomplete fix for CVE-YYYY-NNNNN)` — from #351
   - `(fix-bypass of CVE-YYYY-NNNNN)` — from #352
   - and any other `(... CVE-YYYY-NNNNN ...)` shape

2. Trailing reporter-name attribution parentheticals — reporter
   attribution lives in the credits field, never in the public
   title. Pattern matches `(<name> follow-up)` where `<name>`
   matches name-like tokens (word chars, dots, hyphens, single
   inline spaces) to avoid over-stripping substantive technical
   content. Catches:
   - `(Evan Ricafort follow-up)` — from #346

Substantive technical parentheticals stay intact — e.g. the operator-
name list `(GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)` on
the GCS path-traversal tracker is NOT stripped (it lacks a CVE ID
and doesn't end in `follow-up`).

The matching Step 1d signal row in security-issue-sync now enumerates
the two new patterns so the proposal-time detector and the pre-push
Gate #4 stay in lock-step with the cascade.

Validated against 9 cases: 4 session-derived fixes (all pass), 3
synthetic CVE-relationship variants (all pass), 1 substantive
technical parenthetical (preserved correctly), 1 "<word> follow-up"
edge case (stripped as designed — narrow scope acceptable since
"follow-up" titles in airflow-s are exclusively reporter-attribution).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
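
The two trailing-parenthetical patterns this commit message describes, as an added Python sketch; it is not the framework's cascade code. The regular expressions, the function names and the sample titles are constructed from the prose above, and the CVE IDs and reporter name in the samples are placeholders.

```python
import re

# Trailing parenthetical that mentions a CVE ID anywhere inside it,
# e.g. "(CVE-...)", "(incomplete fix for CVE-...)". Assumed regex.
CVE_PAREN = re.compile(r"\s*\([^()]*\bCVE-\d{4}-\d{4,}\b[^()]*\)\s*$")

# Trailing "(<name> follow-up)": name-like tokens (word chars, dots,
# hyphens) separated by single spaces. Assumed regex.
REPORTER_PAREN = re.compile(r"\s*\([\w.\-]+(?: [\w.\-]+)* follow-up\)\s*$")


def strip_title_noise(title: str) -> str:
    """Strip trailing CVE-relationship and reporter parentheticals."""
    previous = None
    while previous != title:  # loop: a title can carry both kinds
        previous = title
        for pattern in (CVE_PAREN, REPORTER_PAREN):
            title = pattern.sub("", title)
    return title.strip()


def noisy_titles(titles):
    """Detector side: the titles the cleaner would change."""
    return [t for t in titles if strip_title_noise(t) != t]


# Constructed sample titles; CVE IDs and the reporter name are placeholders.
SAMPLES = [
    "Stored XSS in log viewer (CVE-2099-00001)",
    "Stored XSS in log viewer (possible CVE-2099-00001 variant)",
    "Auth bypass in REST API (incomplete fix for CVE-2099-00002)",
    "Auth bypass in REST API (fix-bypass of CVE-2099-00002) (Jane Q. Doe follow-up)",
    "Path traversal in GCS transfer (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)",
    "CVE-2099-00003 (partial) regression in DAG parser",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r} -> {strip_title_noise(sample)!r}")
```

Both patterns are anchored to the end of the title, so a parenthetical in the middle of a title, or one with neither a CVE ID nor a `follow-up` suffix, is left alone.
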
potiuk pushed a commit that referenced this pull request Jul 3, 2026
…ymise historical dev-list reference (#696)

* fix(pr-management-triage): generalise security-list coupling and anonymise historical dev-list reference

Low-confidence asf-coupling pass (spec-loop work item #4).

- comment-templates.md: replace hardcoded `security@apache.org` with
  `<security-list>` placeholder; remove ASF-specific URL from security
  vulnerability-handling prose; remove internal "dev@ thread with Elad"
  cross-reference
- rationale.md: anonymise motivating-problem paragraph — project-specific
  mailing list name and individual names replaced with generic phrasing
- SKILL.md: remove "dev@ thread with Elad" reference from triage_feedback_channel description
- specs/project-agnosticism.md: extend Known Gaps entry to document
  the specific fixes made in this pass

The validator already produces 0 asf-coupling warnings (org-scoped
skills are suppressed by the `organization: ASF` frontmatter added in
0073ae8). The real coupling was in sub-documents not checked by the
validator — `comment-templates.md` is posted verbatim to GitHub PRs, so
a hardcoded `security@apache.org` was a genuine blocker for non-ASF
adopters. `<security-list>` resolves from `<project-config>/project.md`
→ `mailing_lists.security` at run time.

Generated-by: Claude (Opus 4.7)

* fix issue with unrelated README file